Move MIME handling to systemd services (boot provisioning) #2033
Conversation
debian/securedrop-workstation-config.mime-handling-default.service
Outdated
Show resolved
Hide resolved
debian/securedrop-workstation-config.mime-handling-sd-viewer.service
Outdated
Show resolved
Hide resolved
|
Added a caveat that may need some consideration: https://github.com/freedomofpress/securedrop-client/pull/2033/files#r1616905179 |
|
The test plan currently says:
It's supposed to be |
debian/securedrop-workstation-config.securedrop-mime-handling.service
Outdated
Show resolved
Hide resolved
|
Is it worth squashing some of the commits for a cleaner history? I went back and forth on services names, etc. So the history is a bit messy. I'm happy to reorganize the commit history to it makes more sense. Anyways, I'm fine with following standard practice. Just flagging because this PR had lots of changes like that. |
deeplow
force-pushed
the
mime-systemd-provisioning
branch
from
ecabf7c
to
76daa81
Compare
|
Rebased to resolve the merge issue. I played a bit around with the git history to make it a bit more linear and without so much back and forth. Unfortunately it's rather convoluted and the most pragmatic option is to just all commits. However, we may loose some context on decisions. @legoktm what's the general development practice on securedrop regarding changing the git history in situations like this? |
|
@deeplow feel free to squash it down to a single commit before merge if you like - it's not a massive change and is well-contained. |
Merging it like this is historically what the SD team has done, and that's fine. Personally I like to spend no more than 20 minutes rebasing it into a few logical commits (and sometimes that ends up being just one commit!). Any decisions that you think are important to document should be explained in the commit message or leave a comment in the file itself. |
Fixes freedomofpress/securedrop-workstation#1042, complemented by freedomofpress/securedrop-workstation#1043. Implemention reasoning: - Failure to setup leads shutdown to make this security-critical component loud on failures - Running in disp. templates fails (e.g. sd-viewer) to prevent populating user's home directory, thus contaminating all disposables based on them. - MIME-handling behavior set via qubesdb - pass vm-specific data via the vm-config qubes feature (accessible through QubesDB) [1]. - Started after rsyslog.service to allow failure logging [1]: https://dev.qubes-os.org/projects/core-admin-client/en/latest/manpages/qvm-features.html#vm-config
deeplow
force-pushed
the
mime-systemd-provisioning
branch
from
76daa81
to
21a1ec3
Compare
|
Thanks for the input. I have decided to squash the commits. |
|
Thanks, I think we're all set here. 👀 over to the workstation PR now :) |
| # sd-app as the only valid non-disposable. | ||
| persistent_home = QubesDB().read("/qubes-vm-persistence").decode() != "none" | ||
| vm_name = QubesDB().read("/name").decode() | ||
| if persistent_home and vm_name != "sd-app": |
There was a problem hiding this comment.
This triggers an interesting side effect - it's now impossible to start the sd-viewer VM because this unit will exit 1 and trigger systemd-halt.
|
On Thu, May 30, 2024 at 01:20:52PM -0700, Kunal Mehta wrote:
Just for convention with other places, let's call this
`SD_MIME_HANDLING`
Really for the interchangeability of environment and QubesDB variables.
:-) Captured in
<https://wiki.freedom.press/w/index.php?title=SecureDrop_Development/Principles_and_assumptions&diff=prev&oldid=6126>.
|
|
Should there be a wrapper that makes them actual env vars and then only access those from within our programs? As a side-effect, tests could work outside of Qubes systems. |
See proposal and decision in freedomofpress/securedrop-workstation#1013 |
Status
Ready to review.
Description
Fixes freedomofpress/securedrop-workstation#1042.
Fixes freedomofpress/securedrop-workstation#615.
sd-proxydisposable (by creating ansd-proxy-dvm)sd-*-dvmexist only because we can't create one from the template, directly (filed an upstream issue on that Let Named Disposables be based on Templates directly QubesOS/qubes-issues#9266 -> duped to Allow disposable qubes to be based directly on regular templates QubesOS/qubes-issues#6720)Test Plan
make devmake build-debssecuredrop-workstation-config.debpackage to dom0 and from there to both templates (sd-small-*andsd-large-*).sd-proxyis disposablesd-proxyand:/home/user/.local/share/applications/mimeapps.list -> /opt/securedrop/mimeapps.list.default/home/user/.mailcap -> /opt/securedrop/.mailcap.defaultsd-proxy-dvmand confirm the following files (or parent directory) do NOT exist:/home/user/.local/share/applications/mimeapps.list/home/user/.mailcapsd-viewerand:/home/user/.local/share/applications/mimeapps.list -> /opt/securedrop/mimeapps.list.sd-viewer/home/user/.mailcap -> /opt/securedrop/.mailcap.defaultsd-devices-dvmand confirm the following files (or parent directory) do NOT exist:/home/user/.local/share/applications/mimeapps.list/home/user/.local/.mailcapsd-devicesand:/home/user/.local/share/applications/mimeapps.list -> /opt/securedrop/mimeapps.list.sd-viewer/home/user/.mailcap -> /opt/securedrop/.mailcap.defaultChecklist
If these changes modify code paths involving cryptography, the opening of files in VMs or network (via the RPC service) traffic, Qubes testing in the staging environment is required. For fine tuning of the graphical user interface, testing in any environment in Qubes is required. Please check as applicable:
If these changes add or remove files other than client code, the AppArmor profile may need to be updated. Please check as applicable:
If these changes modify the database schema, you should include a database migration. Please check as applicable:
mainand confirmed that the migration is self-contained and applies cleanlymainand would like the reviewer to do so